From 162b0e1fda6201b95e1da851b85534c11dcf7f1e Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Mon, 21 Oct 2019 16:39:45 -0400 Subject: [PATCH] Generate script heredoc to prevent collisions --- examples/taskruns/step-script.yaml | 9 +++++++++ pkg/reconciler/taskrun/resources/pod.go | 21 ++++++++++++++------ pkg/reconciler/taskrun/resources/pod_test.go | 12 +++++------ 3 files changed, 30 insertions(+), 12 deletions(-) diff --git a/examples/taskruns/step-script.yaml b/examples/taskruns/step-script.yaml index 2d493420ac9..5f24ac73d6a 100644 --- a/examples/taskruns/step-script.yaml +++ b/examples/taskruns/step-script.yaml @@ -32,6 +32,15 @@ spec: #!/usr/bin/env bash /workspace/hello + - name: contains-eof + image: ubuntu + script: | + #!/usr/bin/env bash + cat > file << EOF + this file has some contents + EOF + cat file + - name: node image: node script: | diff --git a/pkg/reconciler/taskrun/resources/pod.go b/pkg/reconciler/taskrun/resources/pod.go index 99deb2b2fb1..9f75c416f0e 100644 --- a/pkg/reconciler/taskrun/resources/pod.go +++ b/pkg/reconciler/taskrun/resources/pod.go 
@@ -305,16 +305,25 @@ func MakePod(images pipeline.Images, taskRun *v1alpha1.TaskRun, taskSpec v1alpha
 // Append to the place-scripts script to place the
 // script file in a known location in the scripts volume.
 tmpFile := filepath.Join(scriptsDir, names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("script-%d", i)))
- // NOTE: quotes around 'EOF' are important. Without
- // them, ${}s in the file are interpreted as env vars
- // and likely end up replaced with empty strings. See
+ // heredoc is the "here document" placeholder string
+ // used to cat script contents into the file. Typically
+ // this is the string "EOF" but if this value were
+ // "EOF" it would prevent users from including the
+ // string "EOF" in their own scripts. Instead we
+ // randomly generate a string to (hopefully) prevent
+ // collisions.
+ heredoc := names.SimpleNameGenerator.RestrictLengthWithRandomSuffix("script-heredoc-randomly-generated")
+ // NOTE: quotes around the heredoc string are
+ // important. Without them, ${}s in the file are
+ // interpreted as env vars and likely end up replaced
+ // with empty strings. See
 // https://stackoverflow.com/a/27921346
 placeScriptsStep.Args[1] += fmt.Sprintf(`tmpfile="%s"
 touch ${tmpfile} && chmod +x ${tmpfile}
-cat > ${tmpfile} << 'EOF'
+cat > ${tmpfile} << '%s'
 %s
-EOF
-`, tmpFile, s.Script)
+%s
+`, tmpFile, heredoc, s.Script, heredoc)
 // The entrypoint redirecter has already run on this
 // step, so we just need to replace the image's
 // entrypoint (if any) with the script to run.
diff --git a/pkg/reconciler/taskrun/resources/pod_test.go b/pkg/reconciler/taskrun/resources/pod_test.go
index f4b5724113e..271da9a728a 100644
--- a/pkg/reconciler/taskrun/resources/pod_test.go
+++ b/pkg/reconciler/taskrun/resources/pod_test.go
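Review bot: The generated `heredoc` delimiter is never checked against `s.Script`, so a script that happens to contain that exact line still ends the here-document early, and the remainder is interpreted by the place-scripts shell instead of being written to `tmpFile`; the comment's "(hopefully)" concedes this. The suffix appears to be five characters (per the updated test expectations), and whether the generator's randomness is unpredictable is not visible in this hunk, so the delimiter should be treated as collision avoidance, not as a boundary between script text and shell text. A cheap guard is to regenerate while the script contains the delimiter, e.g. `for strings.Contains(s.Script, heredoc) { heredoc = names.SimpleNameGenerator.RestrictLengthWithRandomSuffix("script-heredoc-randomly-generated") }` (assuming `strings` is imported in pod.go). Encoding the script before embedding it in the shell text would remove the dependency on a delimiter altogether. MakePod starts and ends outside this hunk.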
@@ -512,15 +512,15 @@ print("Hello from Python")`,
 TTY: true,
 Args: []string{"-args", `tmpfile="/builder/scripts/script-0-mssqb"
 touch ${tmpfile} && chmod +x ${tmpfile}
-cat > ${tmpfile} << 'EOF'
+cat > ${tmpfile} << 'script-heredoc-randomly-generated-78c5n'
 echo hello from step one
-EOF
-tmpfile="/builder/scripts/script-1-78c5n"
+script-heredoc-randomly-generated-78c5n
+tmpfile="/builder/scripts/script-1-6nl7g"
 touch ${tmpfile} && chmod +x ${tmpfile}
-cat > ${tmpfile} << 'EOF'
+cat > ${tmpfile} << 'script-heredoc-randomly-generated-j2tds'
 #!/usr/bin/env python
 print("Hello from Python")
-EOF
+script-heredoc-randomly-generated-j2tds
 `},
 VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount},
 }},
@@ -543,7 +543,7 @@ EOF
 Name: "step-two",
 Image: "image",
 Command: []string{"entrypointer"},
- Args: []string{"wait-file", "out-file", "-entrypoint", "/builder/scripts/script-1-78c5n"},
+ Args: []string{"wait-file", "out-file", "-entrypoint", "/builder/scripts/script-1-6nl7g"},
 Env: implicitEnvVars,
 VolumeMounts: append([]corev1.VolumeMount{{Name: "i-have-a-volume-mount"}}, append(implicitVolumeMounts, scriptsVolumeMount)...),
 WorkingDir: workspaceDir,
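Review bot: None of the expected `Args` in these hunks exercises the case the commit fixes: both visible step scripts (`echo hello from step one` and the Python one) contain no `EOF` line, so nothing here would fail if a script containing `EOF` were still truncated. Adding a step whose `Script` contains a literal `EOF` line, and asserting that it appears intact between the generated delimiters, would pin the behaviour at unit level rather than only in examples/taskruns/step-script.yaml. The expectations also hard-code the generator's suffixes (`78c5n`, `6nl7g`, `j2tds`), so any added name-generator call shifts them, as the `script-1-78c5n` to `script-1-6nl7g` change shows; a one-line comment in the test noting that coupling would help the next editor. The test function starts and ends outside these hunks.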